
Research on a Secure DHCPv6 System Based on SAVI Technology

Published: 2018-06-20 18:46

  Topics: DHCPv6 + DHCPv6 Snooping technology; Reference: Beijing Jiaotong University, master's thesis, 2014


[Abstract]: The IPv6 protocol was designed to solve the address shortage that has constrained the growth of the Internet, and the security of IPv6 addresses has drawn considerable attention as well. The DHCPv6 protocol dynamically assigns IPv6 addresses and other configuration information to hosts, but flaws in the protocol itself allow attackers to launch attacks based on IPv6 source addresses. To prevent source address attacks, the thesis proposes a new solution, based on the deployment structure of IPv6 source address validation and on how the address itself is constructed, to secure the allocation and use of IPv6 addresses.

The thesis analyzes in depth the DHCPv6 protocol and the characteristics and security of SAVI technology, and studies the composition and generation algorithm of CGA addresses. SAVI has layer 2 switches in the access network snoop the DHCPv6 protocol to establish IPv6 address bindings, and filters attack packets from illegitimate users at the layer 2 switch; however, because the communicating entities do not authenticate each other, packets remain exposed to man-in-the-middle attacks and other security threats. The CGA mechanism binds a key to an address in order to provide entity authentication between the address owner and the address allocator. CGA addresses nevertheless have their own security limitations and flaws, and the CGA address generation process is complex, which also limits the practical use of the CGA mechanism.

Based on this analysis, the thesis proposes a secure DHCPv6 system based on SAVI technology. From the perspective of the access network deployment structure for IPv6 source address validation, it introduces DHCPv6 Snooping technology and, building on the security that DHCPv6 Snooping provides, improves the CGA mechanism. At the same security level, the ECC encryption algorithm replaces the RSA encryption algorithm, which reduces the key length; the generation of Hash2 is also improved, further reducing the length of the original message of the CGA address. Because the SHA-1 hash algorithm processes its input in blocks, the shorter message reduces the number of iterated calls to the compression function and speeds up CGA generation. In addition, the signature in the CGA generation algorithm is optimized, increasing the CGA address's resistance to attack. Finally, the thesis presents experimental tests of the secure DHCPv6 system based on SAVI technology and some of the test results, which verify the ability of DHCPv6 Snooping technology to withstand attacks from rogue servers and rogue hosts.
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
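
The DHCPv6 snooping behaviour summarized in the abstract, as an added example that is not taken from the thesis: a minimal Python model of a layer 2 switch that learns address bindings from snooped DHCPv6 exchanges, drops server messages arriving on untrusted ports, and drops traffic whose source address has no binding. The class, ports, MAC addresses and IPv6 addresses are constructed for illustration; lease lifetimes, relay agents and link-local addresses are left out.

```python
from dataclasses import dataclass, field

# DHCPv6 message type codes (RFC 8415)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
SERVER_MSGS = {ADVERTISE, REPLY}

@dataclass
class SnoopingSwitch:  # hypothetical model, not the thesis implementation
    trusted_ports: set                              # ports facing the legitimate server
    bindings: dict = field(default_factory=dict)    # (port, mac) -> leased addresses
    pending: dict = field(default_factory=dict)     # transaction id -> (port, mac)

    def on_dhcpv6(self, port, mac, msg_type, xid, addr=None):
        """Snoop one DHCPv6 message; return 'forward' or 'drop'."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted_ports:
                return "drop"                       # server message from an access port
            client = self.pending.get(xid)
            if msg_type == REPLY and client and addr:
                self.bindings.setdefault(client, set()).add(addr)
                del self.pending[xid]
            return "forward"
        self.pending[xid] = (port, mac)             # remember which port/MAC asked
        return "forward"

    def on_data(self, port, mac, src_addr):
        """Validate the source address of ordinary IPv6 traffic."""
        if port in self.trusted_ports:
            return "forward"
        bound = self.bindings.get((port, mac), set())
        return "forward" if src_addr in bound else "drop"

def demo():
    """Replay constructed events: one host, one rogue server, two unbound sources."""
    sw = SnoopingSwitch(trusted_ports={1})
    host = (5, "02:00:00:00:00:05")
    xid = 0xA1B2C3
    return [
        sw.on_dhcpv6(*host, REQUEST, xid),                                  # client request
        sw.on_dhcpv6(7, "02:00:00:00:00:07", REPLY, xid, "2001:db8::bad"),  # untrusted port
        sw.on_dhcpv6(1, "02:00:00:00:00:01", REPLY, xid, "2001:db8::10"),   # trusted port
        sw.on_data(*host, "2001:db8::10"),                                  # bound address
        sw.on_data(*host, "2001:db8::99"),                                  # address never leased
        sw.on_data(6, "02:00:00:00:00:06", "2001:db8::10"),                 # other port reuses it
    ]

if __name__ == "__main__":
    print(demo())
```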

Article ID: 2045321
